I'm trying to allow specific resources to pass a check if their tag values match an array of values.
I originally asked this question: Rego - Pass if value in set is in allowed_values set. However, that simple example didn't translate directly to the problem I had when evaluating the tags.
I've created this 'working' example and would like to know how it can be written more idiomatically. https://play.openpolicyagent.org/#L8
package tagtesting
import future.keywords
# Sample resource tag sets used as inputs to the policy rules below.
# Only the "Environment" and "Name" keys are consulted by the exception
# check; "Test" has no entry in exception_tags and is therefore ignored.
passing_1_resource_tags := {"Environment": "dev", "Name": "name1", "Test": "test"}

passing_2_resource_tags := {"Environment": "dev", "Name": "name1", "Test": "test"}

failing_resource_tags := {"Environment": "xxx", "Name": "xxx", "Test": "test"}

# Exception list: for each tag key, the values that exempt a resource
# carrying that key from the policy.
exception_tags := {
    "Environment": ["dev", "int"],
    "Name": ["name1"]
}
# Set of resource tag keys whose value appears in the matching
# exception_tags list. Keys that have no entry in exception_tags never
# match, because exception_tags[key] is undefined for them.
# Note: one matching key is enough to make the result non-empty, and the
# policy rules below treat a non-empty result as an exemption — a resource
# with only one of its exception-listed tags set to an allowed value still
# passes. Tighten this if every listed key must match.
tag_exception_check(resource_tags) := {
    key |
    some key, value in resource_tags
    value in exception_tags[key]
}
# Reports "policy_failed" when no tag of passing_1_resource_tags is covered
# by an exception; otherwise the set stays empty.
passing_1_policy[result] {
    count(tag_exception_check(passing_1_resource_tags)) == 0
    result := "policy_failed"
}
# Reports "policy_failed" when no tag of passing_2_resource_tags is covered
# by an exception; otherwise the set stays empty.
passing_2_policy[result] {
    count(tag_exception_check(passing_2_resource_tags)) == 0
    result := "policy_failed"
}
# Reports "policy_failed" when no tag of failing_resource_tags is covered
# by an exception; otherwise the set stays empty.
failing_policy[result] {
    count(tag_exception_check(failing_resource_tags)) == 0
    result := "policy_failed"
}
Output:
{
"exception_tags": {
"Environment": [
"dev",
"int"
],
"Name": [
"name1"
]
},
"failing_policy": [
"policy_failed"
],
"failing_resource_tags": {
"Environment": "xxx",
"Name": "xxx",
"Test": "test"
},
"passing_1_policy": [],
"passing_1_resource_tags": {
"Environment": "dev",
"Name": "name1",
"Test": "test"
},
"passing_2_policy": [],
"passing_2_resource_tags": {
"Environment": "dev",
"Name": "name1",
"Test": "test"
}
}